General Approach
- Identify which log sources and automated tools you can use during the analysis.
- Copy log records to a single location where you will be able to review them.
- Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
- Determine whether you can rely on logs’ time stamps; consider time zone differences.
- Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
- Go backwards in time from now to reconstruct actions after and before the incident.
- Correlate activities across different logs to get a comprehensive picture.
- Develop theories about what occurred; explore logs to confirm or disprove them.
Typical Log Locations
- Linux OS and core applications: /var/log
- Windows OS and core applications: Windows Event Log (Security, System, Application)
- Network devices: usually logged via Syslog; some use proprietary locations and formats.
What to Look for on Linux
- Successful user login- “Accepted password”, “Accepted publickey”, “session opened”
- Failed user login- “authentication failure”, “failed password”
- User log-off- “session closed”
- User account change or deletion- “password changed”, “new user”, “delete user”
- Sudo actions- “sudo: … COMMAND=…”, “FAILED su”
- Service failure- “failed” or “failure”
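As an added example (not part of the original cheat sheet), a small Python scanner that applies the Linux patterns above to constructed auth.log lines, counts events per checklist category, and flags source IPs with repeated failed logins. The sample lines and the burst threshold are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Linux auth.log format (not from a real system).
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 host1 sshd[2010]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 08:01:12 host1 sshd[2010]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:05:40 host1 sshd[2044]: Failed password for invalid user admin from 203.0.113.9 port 4411 ssh2
Mar  3 08:05:43 host1 sshd[2045]: Failed password for root from 203.0.113.9 port 4412 ssh2
Mar  3 08:05:47 host1 sshd[2046]: Failed password for root from 203.0.113.9 port 4413 ssh2
Mar  3 08:09:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 08:12:30 host1 useradd[2101]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar  3 08:15:00 host1 sshd[2010]: pam_unix(sshd:session): session closed for user alice
Mar  3 08:20:11 host1 su: FAILED su for root by bob
"""

# One regex per checklist item; first match wins, so the generic "failed/failure" check goes last.
PATTERNS = [
    ("successful_login", re.compile(r"Accepted (?:password|publickey)|session opened")),
    ("failed_login",     re.compile(r"authentication failure|[Ff]ailed password")),
    ("logoff",           re.compile(r"session closed")),
    ("account_change",   re.compile(r"password changed|new user|delete user")),
    ("sudo",             re.compile(r"sudo: .*COMMAND=|FAILED su")),
    ("service_failure",  re.compile(r"\bfail(?:ed|ure)\b", re.IGNORECASE)),
]
SRC_IP = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def classify(line):
    """Return the checklist category for one log line, or None for routine noise."""
    for name, rx in PATTERNS:
        if rx.search(line):
            return name
    return None

def summarize(text, burst_threshold=3):
    """Count events per category and list source IPs with >= burst_threshold failed logins."""
    counts = Counter()
    failed_by_ip = defaultdict(int)
    for line in text.splitlines():
        cat = classify(line)
        if cat is None:
            continue  # routine entry: drop from view, as the checklist suggests
        counts[cat] += 1
        if cat == "failed_login":
            m = SRC_IP.search(line)
            if m:
                failed_by_ip[m.group(1)] += 1
    bursts = sorted(ip for ip, n in failed_by_ip.items() if n >= burst_threshold)
    return dict(counts), bursts

if __name__ == "__main__":
    print(summarize(SAMPLE_AUTH_LOG))
```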
What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event IDs, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller.
- User logon/logoff events- Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
- User account changes- Created 624; enabled 626; changed 642; disabled 629; deleted 630
- Password changes- To self: 628; to others: 627
- Service started or stopped- 7035, 7036, etc.
- Object access denied (if auditing enabled)- 560, 567, etc.
What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
- Traffic allowed on firewall- “Built … connection”, “access-list … permitted”
- Traffic blocked on firewall- “access-list … denied”, “deny inbound”; “Deny … by”
- Bytes transferred (large files?)- “Teardown TCP connection … duration … bytes …”
- Bandwidth and protocol usage- “limit … exceeded”, “CPU utilization”
- Detected attack activity- “attack from”
- User account changes- “user added”, “user deleted”, “User priv level changed”
- Administrator access- “AAA user …”, “User … locked out”, “login failed”
What to Look for on Web Servers
- Excessive access attempts to non-existent files
- Code (SQL, HTML) seen as part of the URL
- Access to extensions you have not implemented
- Web service stopped/started/failed messages
- Access to “risky” pages that accept user input
- Look at logs on all servers in the load balancer pool
- Error code 200 on files that are not yours
- Failed user authentication- Error code 401, 403
- Invalid request- Error code 400
- Internal server error- Error code 500
Other Resources
- Windows event ID lookup: www.eventid.net
- A listing of many Windows Security Log events: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
- Log analysis references: www.loganalysis.org
- A list of open-source log analysis tools: securitywarriorconsulting.com/logtools
- Anton Chuvakin’s log management blog: securitywarriorconsulting.com/logmanagementblog
- Other security incident response-related cheat sheets: zeltser.com/cheat-sheets